Hello,

In my test environment, I am running Vault 0.6.4 with Consul 0.7.2 backend and have created few users which are working as expected on CLI.

🍺  ~$ vault auth -method=userpass username=vikas
Password (will be hidden):
Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do not
need to "vault auth" again with the token.
token: b0459465-e88a-0f49-54ee-13f908605e64
token_duration: 2764799
token_policies: [admins default]
🍺  ~$
🍺  ~$ vault write secret/project/myproject/hello value=vikas
Success! Data written to: secret/project/myproject/hello
🍺  ~$

But, I am unable to login thru the UI. This my basic compose file and the error logs.

# cat docker-compose.yml
version: '2'

services:
  vault:
    image: "nyxcharon/vault-ui:latest"
    container_name: vault-ui
    ports:
      - 80:80
    environment:
      - VAULT_ADDR=http://192.168.1.81
      - VAULT_PORT=8200
      - AUTH_METHODS=Userpass
#

These are the errors of docker container

# docker logs -f vault-ui
[pid: 14|app: 0|req: 11/13] 172.21.0.1 () {40 vars in 550 bytes} [Sat Dec 31 11:28:50 2016] POST /v1/auth/userpass/login/vikas => generated 1528 bytes in 1 msecs (HTTP/1.1 200) 2 headers in 81 bytes (1 switches on core 0)
[pid: 14|app: 0|req: 11/14] 192.168.1.1 () {46 vars in 874 bytes} [Sat Dec 31 11:28:50 2016] POST /login?next=http%3A%2F%2F192.168.1.81%2F => generated 2760 bytes in 13 msecs (HTTP/1.1 200) 2 headers in 81 bytes (1 switches on core 1)
Error logging in: No JSON object could be decoded
[pid: 14|app: 0|req: 12/15] 192.168.1.1 () {40 vars in 630 bytes} [Sat Dec 31 11:28:50 2016] GET /static/app.css => generated 1363 bytes in 1 msecs via sendfile() (HTTP/1.1 200) 7 headers in 279 bytes (0 switches on core 0)

This is the error on Web UI

Support MFA authentication, as it's just extensions onto userpass and ldap
https://www.vaultproject.io/docs/auth/mfa.html

would it be possible to add an option to not verify ssl? I am attempting to use this with an internal self signed cert with is not trusted by default. I am constantly getting failure to log in, and i believe this may be the issue.

Entering the wrong username/password combination doesn't display any errors on the login page

Currently if you don't have access to things on a page (example: policies) you just get a blank white page. Replace this with a "You don't have permission to view this message"

My vault is hooked up to LDAP auth backend. I'd love to use it to authenticate. Would really make life a breeze for our operators.

Just discovering this project and haven't actually deployed it yet so forgive me if this is underway already. I may be able to find some bandwidth to help with this issue as well.

Hello I am using vault 0.6.2 with ldap authentication. I am stuck in the following bug/error:

Vault Policy:
vault policies secret

path "sys/" {
policy = "read"
}
path "secret/" {
policy = "write"
}
path "secret/foo" {
policy = "read"
}
path "auth/token/lookup-self" {
policy = "read"
}

vault auth -method=ldap username=testuser

Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do not
need to "vault auth" again with the token.
token: 00000000-11aa-aa00-111f-42f31e766282
token_duration: 2763360
token_policies: [default secret]

In Vault-ui I am able to authenticate using my ldap credentials:

[pid: 9462|app: 0|req: 6/7] 192.168.168.1 () {44 vars in 860 bytes} [Tue Oct 18 15:01:18 2016] GET /login?next=http%3A%2F%2F192.168.168.162%2F => generated 1790 bytes in 3 msecs (HTTP/1.1 200) 2 headers in 81 bytes (1 switches on core 1)
[pid: 9464|app: 0|req: 2/8] 192.168.168.1 () {50 vars in 1054 bytes} [Tue Oct 18 15:01:23 2016] POST /login?next=http%3A%2F%2F192.168.168.162%2F => generated 209 bytes in 3601 msecs (HTTP/1.1 302) 4 headers in 295 bytes (1 switches on core 1)
[pid: 9462|app: 0|req: 7/9] 192.168.168.1 () {46 vars in 927 bytes} [Tue Oct 18 15:01:27 2016] GET / => generated 2535 bytes in 1 msecs (HTTP/1.1 200) 2 headers in 81 bytes (1 switches on core 0)

I can also get the policies :

[pid: 9462|app: 0|req: 8/10] 192.168.168.1 () {44 vars in 864 bytes} [Tue Oct 18 15:04:35 2016] GET /policies => generated 3718 bytes in 7 msecs (HTTP/1.1 200) 2 headers in 81 bytes (1 switches on core 1)

Any other option will give me a permission denied with similar uwsgi exception (ie secrets:):

Traceback (most recent call last):
File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 2000, in call
return self.wsgi_app(environ, start_response)
File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 1991, in wsgi_app
response = self.make_response(self.handle_exception(e))
File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 1567, in handle_exception
reraise(exc_type, exc_value, tb)
File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 1988, in wsgi_app
response = self.full_dispatch_request()
File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 1641, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 1544, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 1639, in full_dispatch_request
rv = self.dispatch_request()
File "/u01/app/vault-ui/env/lib/python2.7/site-packages/flask/app.py", line 1625, in dispatch_request
return self.view_functionsrule.endpoint
File "./decorators.py", line 10, in decorated_function
return f(_args, *_kwargs)
File "app.py", line 59, in secrets
return render_template('secrets.html', secrets=vault_secrets(session['vault_token']))
File "./vault.py", line 42, in vault_secrets
secrets = client.list('secret')['data']['keys']
File "/u01/app/vault-ui/env/lib/python2.7/site-packages/hvac/v1/init.py", line 56, in list
return self._get('/v1/{}'.format(path), params=payload).json()
File "/u01/app/vault-ui/env/lib/python2.7/site-packages/hvac/v1/init.py", line 894, in _get
return self.__request('get', url, **kwargs)
File "/u01/app/vault-ui/env/lib/python2.7/site-packages/hvac/v1/init.py", line 936, in request
self.__raise_error(response.status_code, text, errors=errors)
File "/u01/app/vault-ui/env/lib/python2.7/site-packages/hvac/v1/__init.py", line 946, in __raise_error
raise exceptions.Forbidden(message, errors=errors)
hvac.exceptions.Forbidden: permission denied
[pid: 9462|app: 0|req: 9/11] 192.168.168.1 () {44 vars in 870 bytes} [Tue Oct 18 15:05:38 2016] GET /secrets => generated 0 bytes in 13 msecs (HTTP/1.1 500) 0 headers in 0 bytes (0 switches on core 0)

because of it nginx is giving a 502 bad gateway.

I can access secrets normally with my ldap user using the vault cli.

Any pointers or help would be appreciated.

Seeing the following in startup:

WARNING: NODE_ENV value of 'production' did not match any deployment config file names.
WARNING: See https://github.com/lorenwest/node-config/wiki/Strict-Mode

Per the URL, this is probably a fairly simple fix.

Use vault list capabilities instead of consul hack to list all the secrets in vault. Requires vault >= 5.0

When accessing a non existing URL the following traceback occurs :
Traceback (most recent call last): File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 2000, in __call__ return self.wsgi_app(environ, start_response) File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1991, in wsgi_app response = self.make_response(self.handle_exception(e)) File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1567, in handle_exception reraise(exc_type, exc_value, tb) File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1988, in wsgi_app response = self.full_dispatch_request() File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1641, in full_dispatch_request rv = self.handle_user_exception(e) File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1544, in handle_user_exception reraise(exc_type, exc_value, tb) File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1639, in full_dispatch_request rv = self.dispatch_request() File "/usr/local/lib/python2.7/dist-packages/flask/app.py", line 1625, in dispatch_request return self.view_functions[rule.endpoint](**req.view_args) File "/opt/vault-ui/decorators.py", line 13, in decorated_function return func(*args, **kwargs) File "/opt/vault-ui/app.py", line 86, in read_secret return render_template('secret.html', path=path, secret=list_secret(session['vault_token'], path)) File "/opt/vault-ui/vault.py", line 109, in list_secret return client.read(path)['data'] TypeError: 'NoneType' object has no attribute '__getitem__'

Secret folders collapse, however the individual secrets don't collapse after looking at them. They should collapse just like the folders do.

Provide a way to surface vault-ui under https so secrets aren't sent over the network unencrypted.

If no Vault can be reached from the $VAULT_ADDR, don't display the prompt (basically do a status check very early on).

Using :latest works fine instead, should probably just suggest that instead.

    $ docker run -p 80:80 -e VAULT_ADDR=http://myip:8200 nyxcharon/vault-ui:1.0.0
    Unable to find image 'nyxcharon/vault-ui:1.0.0' locally
    Pulling repository docker.io/nyxcharon/vault-ui
    docker: Tag 1.0.0 not found in repository docker.io/nyxcharon/vault-ui.

root@vaultui:/home/mukolaich# docker run -it -p 3030:3030 -p 8080:8080 -e VAULT_HOST=10.10.20.205 -e CONSUL_HOST=localhost nyxcharon/vault-ui
npm info it worked if it ends with ok
npm info using [email protected]
npm info using [email protected]
npm info lifecycle [email protected]prestart: [email protected]
npm info lifecycle [email protected]start: [email protected]

[email protected] start /usr/src/app
concurrent --kill-others "npm run start-prod" "npm run start-prod-api"

[1] npm
[1] info it worked if it ends with ok
[1] npm info using [email protected]
[1] npm info using [email protected]
[0] npm
[0]
[0] info
[0]
[0] it worked if it ends with
[0] ok
[0] npm
[0]
[0] info
[0]
[0] using
[0] [email protected]
[0] npm
[0]
[0] info
[0]
[0] using
[0] [email protected]
[1] npm
[1] info lifecycle [email protected]prestart-prod-api: [email protected]
[1] npm
[1] info lifecycle [email protected]start-prod-api: [email protected]
[1]
[1] > [email protected] start-prod-api /usr/src/app
[1] > better-npm-run start-prod-api
[1]
[0] npm
[0] info lifecycle [email protected]prestart-prod: [email protected]
[0] npm
[0] info lifecycle [email protected]start-prod: [email protected]
[0]
[0] > [email protected] start-prod /usr/src/app
[0] > better-npm-run start-prod
[0]
[1] running better-npm-run in /usr/src/app
[1] Executing script: start-prod-api
[1]
[1] to be executed: node ./bin/api.js
[0] running better-npm-run in /usr/src/app
[0] Executing script: start-prod
[0]
[0] to be executed: node ./bin/server.js
[1] Attempting to discover location of consul data
[1] WARNING: NODE_ENV value of 'production' did not match any deployment config file names.
[1] WARNING: See https://github.com/lorenwest/node-config/wiki/Strict-Mode
[1] Warning: connect.session() MemoryStore is not
[1] designed for a production environment, as it will leak
[1] memory, and will not scale past a single process.
[1] ----
[1] ==> 🌎 API is running on port 3030
[1] ==> 💻 Send requests to http://localhost:3030
[1] Unhandled rejection Error: connect ECONNREFUSED 127.0.0.1:8500
[1] at Object.exports._errnoException (util.js:855:11)
[1] at exports._exceptionWithHostPort (util.js:878:20)
[1] at TCPConnectWrap.afterConnect as oncomplete
[0] Warning: connect.session() MemoryStore is not
[0] designed for a production environment, as it will leak
[0] memory, and will not scale past a single process.
[0] ----
[0] ==> ✅ Vault UI is running, talking to API server on 3030.
[0] ==> 💻 Open http://localhost:8080 in a browser to view the app.

root@vaultui:/home/bla# telnet 127.0.0.1 8500
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]

Rather than taking VAULT_ADDR=.. at container startup time, take the address of a Consul server and the Consul service name to run a lookup of, so that the UI tracks any Vault instance moves.

Maybe this is implied but I figured I would put in an issue so it can be tracked.. but this tool would be much more useful if we could create or update secrets once authenticated as well.

So I wanted to play around with this and Vault. I've gotten Vault running in dev mode and your container running, but I am not sure what to put in as my username and password for your UI....

Replace consul hack for listing users with built in list functionality. Requires vault 0.5.3 (not yet released at time of writing)

I have a user with the "root" policy however i am only able to see one of my generic secret backends secrets. I am able to see all mounts and users, etc. however when i try to view secrets it only lists one of the backends secrets. is there a way to switch backends? when making rest calls directly from postman i am able to see the missing secrets

• Add a drop down box to login page to allow selection of auth type
• List of auth methods should be configured via the settings file

In particular for CONSUL_HOST and VAULT_HOST these are currently explicitly set in package.json so effectively overriding the variable values if the user sets them e.g. when using docker.

e.g.

    "start-prod-api": {
      "command": "node ./bin/api.js",
      "env": {
        "NODE_PATH": "./api",
        "NODE_ENV": "production",
        "API_PORT": 3030,
        "VAULT_HOST": "vault.service.consul",
        "CONSUL_HOST": "consul.service.consul"
      }
    },

The defaulting should probably occur in config.js.

Page should be rendered, javascript fetch vault information, then update the page vs the current version of the server doing everything causing some pages to render slowly.

There's a new shiny version of vault-ui on master. See the react tag for reasons why it was switched to flask.

Improvements:

• 7 dependencies instead of 30+
• Smaller docker image
• Actually able to read the code now
• Slight css changes
• New health check endpoint
• Added error pages
• Simpler configuration
• Agnostic to vault backed now

Cons:

• Some pages load slow, this will be fixed soon (Currently pulling/rendering everything server side, switching this to loading the page, then having javascript fetch the information)

Sorry for the noob question, but how do I use the setting "VAULT_SSL_CA"? My vault uses an internal CA for which I have the issuer certificate.

I started my Docker container like this:

docker run -p 80:80 -e VAULT_ADDR=https://vault.address.lan:8200/ -e AUTH_METHODS=LDAP -e VAULT_SSL_CA=/path/to/issuer_ca.crt nyxcharon/vault-ui:latest

But when I try to login, I get the following error on the console:

[pid: 24|app: 0|req: 1/2] xxx.xxx.xxx.xxx () {40 vars in 669 bytes} [Tue Dec  6 14:53:21 2016] GET /login?next=http%3A%2F%2Flocalhost%2F => generated 2571 bytes in 31 msecs (HTTP/1.1 200) 2 headers in 81 bytes (1 switches on core 0)
Error logging in: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:590)

Also, you should check your README.md, it says:
"Full path to the SSL certificate authority used to verify VAUT_URL's cert when it uses https."
Should be:
"Full path to the SSL certificate authority used to verify VAULT_ADDR's cert when it uses https."